RSA SFO 2011 is done

This week has been a blitz of sessions, one-on-one deep discussions, and random swarms of passionate people descending on any table to discuss all things information security. The sessions were good, the products somewhat interesting, and the networking was fantastic. I did my best to tweet as much as I could from sessions throughout the conference, but there is a theme I saw and wanted to share for debate and consumption.

The risks are severe and, quite frankly, the offensive capability of attackers (individuals, attack teams like Anonymous, and nation-state sponsored groups) is excellent. Organizations are suffering data exfiltration at an alarming scale, and the management of these threats is immature and ad hoc.

Coming from a single vendor this would come across as F.U.D., but it was expressed by the Director of the NSA, and at nearly every session and keynote.

So what does this mean? Well, much like at RSA, there is a need to translate and form an opinion, what is lovingly called the ‘Apply Slide’. Below are the points that resonated for me – in no particular priority order:

There is a need for a more meaningful appreciation of what is valuable to every organization. This discussion needs to happen with the management, legal, risk management, internal audit, and technology leadership. A primary purpose of bringing these individuals together is to ascertain what is valuable and in what forms it may exist throughout the business.

A sophisticated incident handling process is needed. This is a topic highlighted by the likes of Google and signals intelligence experts. I feel the point, though, was lost on the majority of attendees. The need is not simply to have trained team members with tools to be activated in the case of a breach. That is needed, but there is a much deeper need:

The maturing and sustaining of a firmwide global effort to respond to every infection / malware instance / behavioral anomaly. Here is the thesis: today most of these are addressed through a help desk function that follows a decade-old process of risk identification and remediation. The common response is to apply patches and have the behavior cease (removal of the error is considered a “fix”). It is widely accepted that the attackers and infection tools are highly sophisticated, and that removal is neither a linear path nor a guarantee of a “clean” system. In addition, the statistics reinforce this fact when we look at the effectiveness of anti-virus tools, the amount of malware that is unique and unknown, and the percentage of exfiltration events that result from this code. Finally, there is a stigma attached to ‘activating an incident response team’ in many organizations. Together these create an atmosphere where keyloggers / botnets / Stuxnet / and similar malware toolsets can infect, avoid destruction, deepen their infiltration, and intelligently exfiltrate the data they are after.

Cloud was a very popular topic all week, and despite my professional annoyance at the media focusing on a single aspect of information technology, one simple fact remains true: these sessions were packed. The information provided was not clear, and visibility remains beyond immediate grasp. So – my response here is … these sessions were packed and the term is everywhere because we have not yet reached a state of understanding about it. I foresee this will be a long-lived and important area to continue developing.